Discord.dll: successor to npm “fallguys” malware went undetected for 5 months

By Ax Sharma on November 09, 2020 vulnerabilities

6 minute read time

Sonatype has identified a series of counterfeit components in the npm ecosystem, Discord.

Discord squashes critical Electron bugs: Open source attacks continue to grow

By Ax Sharma on October 21, 2020 Nexus Lifecycle

6 minute read time

Discord recently patched a set of critical vulnerabilities that could allow a skilled attacker to gain Remote Code Execution privileges on the users' Desktop app.

CVE-2020-17479: The return of Validation Bypass (CVE-2019-19507) in `jpv`

3 minute read time

While updating our data for CVE-2020-17479 in JPV, an open-source JSON schema validator, we discovered that the vulnerability could still be exploited with the.

New in Nexus Repository 3.23: Nexus Intelligence via npm Audit

By Brent Kostak on May 13, 2020 npm

3 minute read time

Now developers can check for policy violations using the npm audit command built into the npm CLI, using the precise data of Nexus Intelligence.

Nexus Platform - 2019 Year in Review

By Michelle Dufty on December 30, 2019 Sonatype Nexus

3 minute read time

We look back at features introduced in 2019 across Nexus Repository Manager and Nexus IQ Server (Lifecycle, Lifecycle Foundation, Firewall, and Auditor).

The Dot Zero Conundrum and the New Frontier of Securing Open Source

By Brian Fox on September 24, 2019 code quality

3 minute read time

Sonatype is combining a new type of behavioral analysis with machine learning and proprietary data, creating early warning capabilities to detect malicious.

Nexus Intelligence Insights: CVE-2019-0232 - Apache Tomcat CGI Servlet Remote Code Execution

By Elisa Velarde on April 26, 2019 vulnerability

3 minute read time

Learn about a very popular component used by developers worldwide. Say hello to CVE-2019-0232, a remote code execution vulnerability.

Nexus Intelligence Insights: CVE-2014-3483 - SQL Injection in PostgreSQL adapter for Active Record against 'range' data type

By Elisa Velarde on March 29, 2019 vulnerability

3 minute read time

In this month's Nexus Intelligence Insights we discuss an older component that is used by millions of developers.

Nexus Intelligence Insights: CVE-2014-3603 — Lack of Hostname Verification in OpenSAML

By Ax Sharma on February 26, 2019 vulnerability

3 minute read time

In this month's Nexus Intelligence Insights we discuss an older component, but one that is widely used across a variety of ecosystems, and has a vulnerability.